From: Nancy Durgin Date: Wed, 23 Jan 2019 20:00:30 +0000 (-0800) Subject: Fixed bug caused by the way .checksetparams was undef'd Fixed bug caused by the way .checksetparams was undef'd Previously, had undef'd it by making it an operator. Now just use an immediate reference and undef it in the gs_lev2.ps file. This fixes bug introduced in commit fe4c47d8e25d6366ecbb5ff487348148b908a89e. Undef'ing .checksetparams by making it an operator doesn't work right because errors report .checksetparams as the offending function instead of the operator that uses it (setsystemparams in this case). This caused an error in file /tests_private/ps/ps3cet/27-09.PS on page 3, where it reports the offending function of some error-handling tests. Reporting function should be 'setsystemparams', not '.checksetparams' on this page. https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e7ff64cf9b756278f19c87d295ee0fd95c955c05 From: Ray Johnston Date: Thu, 31 Jan 2019 19:31:30 +0000 (-0800) Subject: Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF interp). Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF interp). We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict where needed so we can undef it after the last PDF interp file has run (pdf_sec.ps). https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9 --- diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/gs_init.ps --- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3839-part2 2019-02-28 08:33:56.995374504 +0100 +++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-02-28 08:34:35.073879701 +0100 @@ -2222,7 +2222,6 @@ SAFER { .setsafe } if /.setuserparams2 /.startjob /.checkFilePermitparams - /.checksetparams /.copyparam /.setpagesize diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/gs_lev2.ps --- ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-3839-part2 2019-02-28 08:35:01.038542311 +0100 +++ ghostscript-9.07/Resource/Init/gs_lev2.ps 2019-02-28 08:38:44.266647686 +0100 @@ -64,7 +64,7 @@ level2dict begin pop } ifelse pop pop } forall pop pop -} .bind odef +} .bind def % currentuser/systemparams creates and returns a dictionary in the % current VM. The easiest way to make this work is to copy any composite @@ -129,7 +129,7 @@ end /.setuserparams2 { % Check that we will be able to set the PostScript-level % user parameters. - /setuserparams /psuserparams .systemvar .checksetparams + /setuserparams /psuserparams .systemvar //.checksetparams exec % Set the C-level user params. If this succeeds, we know that % the password check succeeded. dup .setuserparams @@ -211,7 +211,7 @@ end } if /setsystemparams //pssystemparams mark exch { type cvlit /.checkparamtype cvx 2 packedarray cvx - } forall .dicttomark .checksetparams + } forall .dicttomark //.checksetparams exec % Set the C-level system params. If this succeeds, we know that % the password check succeeded. dup .setsystemparams @@ -1083,5 +1083,6 @@ end % level2dict [ /.checkprocesscomment /.pair2dict + /.checksetparams ] {level2dict exch .forceundef} forall diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_base.ps --- ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-3839-part2 2019-02-28 08:51:17.876974739 +0100 +++ ghostscript-9.07/Resource/Init/pdf_base.ps 2019-02-28 08:53:47.343056275 +0100 @@ -23,7 +23,6 @@ /.setlanguagelevel where { pop 2 .setlanguagelevel } if .currentglobal //true .setglobal -/pdfdict where { pop } { /pdfdict 100 dict def } ifelse pdfdict begin % Define the name interpretation dictionary for reading values. @@ -125,11 +124,11 @@ currentdict /num-chars-dict .undef /.pdfexectoken { % .pdfexectoken ? PDFDEBUG { - pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if + //pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } executeonly if PDFSTEP { - pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput + //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput PDFSTEPcount 1 gt { - pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput + //pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput } executeonly { dup ==only @@ -137,10 +136,10 @@ currentdict /num-chars-dict .undef ( ? ) print flush 1 //false .outputpage (%stdin) (r) file 255 string readline { token { - exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput + exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput } executeonly { - pdfdict /PDFSTEPcount 1 .forceput + //pdfdict /PDFSTEPcount 1 .forceput } executeonly ifelse % token } { pop /PDFSTEP //false def % EOF on stdin diff -up ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_draw.ps --- ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2019-3839-part2 2019-02-28 08:54:17.090674446 +0100 +++ ghostscript-9.07/Resource/Init/pdf_draw.ps 2019-02-28 09:06:50.804906849 +0100 @@ -18,8 +18,7 @@ /.setlanguagelevel where { pop 2 .setlanguagelevel } if .currentglobal //true .setglobal -/pdfdict where { pop } { /pdfdict 100 dict def } ifelse -GS_PDF_ProcSet begin +/GS_PDF_ProcSet load begin pdfdict begin % For simplicity, we use a single interpretation dictionary for all @@ -141,7 +140,7 @@ pdfdict begin /resolvefunction { % resolvefunction .resolvefn - PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if + PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if } bdef /resolvefnproc { % resolvefnproc @@ -907,7 +906,7 @@ currentdict end readonly def } bdef /.pdfpaintproc { % .pdfpaintproc - - PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if + PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if PDFfile fileposition 3 1 roll q 1 index /PaintType oget 1 eq { @@ -946,7 +945,7 @@ currentdict end readonly def /pdfemptycount exch def Q - PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if + PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if PDFfile exch setfileposition }bind executeonly odef @@ -986,7 +985,7 @@ currentdict end readonly def ] cvx put dup /BBox 2 copy knownoget { normrect put } { pop pop } ifelse dup /.pattern_uses_transparency 1 index patternusestransparency put - PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if + PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if } bdef /ignore_color_op ( **** Warning: Ignoring a color operation in a cached context.\n) readonly def diff -up ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_font.ps --- ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-3839-part2 2019-02-28 09:55:34.701833501 +0100 +++ ghostscript-9.07/Resource/Init/pdf_font.ps 2019-02-28 09:56:27.116147620 +0100 @@ -37,8 +37,7 @@ /.setlanguagelevel where { pop 2 .setlanguagelevel } if .currentglobal //true .setglobal -/pdfdict where { pop } { /pdfdict 100 dict def } ifelse -GS_PDF_ProcSet begin +/GS_PDF_ProcSet load begin % from userdict at this point pdfdict begin % We cache the PostScript font in an additional element of the diff -up ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_main.ps --- ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2019-3839-part2 2019-02-28 10:02:48.872152118 +0100 +++ ghostscript-9.07/Resource/Init/pdf_main.ps 2019-02-28 10:12:44.687353440 +0100 @@ -18,8 +18,9 @@ /.setlanguagelevel where { pop 2 .setlanguagelevel } if .currentglobal //true .setglobal -/pdfdict where { pop } { /pdfdict 100 dict def } ifelse pdfdict begin +/GS_PDF_ProcSet dup load def % keep in pdfdict to hide it +userdict /GS_PDF_ProcSet undef % Patch in an obsolete variable used by some third-party software. /#? //false def @@ -177,8 +178,8 @@ currentdict /runpdfstring .undef /Page //null def /DSCPageCount 0 def /PDFSave //null def - GS_PDF_ProcSet begin - pdfdict begin + //pdfdict /GS_PDF_ProcSet get begin + //pdfdict begin pdfopen begin } bind def @@ -888,7 +889,7 @@ currentdict /xref-char-dict undef } bind def /pdfopenfile { % pdfopenfile - pdfdict readonly pop % can't do it any earlier than this + //pdfdict readonly pop % can't do it any earlier than this 32 dict begin /LocalResources 0 dict def /DefaultQstate //null def % establish binding diff -up ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_ops.ps --- ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2019-3839-part2 2019-02-28 10:16:15.196597921 +0100 +++ ghostscript-9.07/Resource/Init/pdf_ops.ps 2019-02-28 10:17:01.082997269 +0100 @@ -24,6 +24,7 @@ systemdict /pdfmark known not { userdict /pdfmark { cleartomark } bind put } if +systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse userdict /GS_PDF_ProcSet 127 dict dup begin % ---------------- Abbreviations ---------------- % diff -up ghostscript-9.07/Resource/Init/pdf_sec.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_sec.ps --- ghostscript-9.07/Resource/Init/pdf_sec.ps.cve-2019-3839-part2 2019-02-28 10:21:16.760650506 +0100 +++ ghostscript-9.07/Resource/Init/pdf_sec.ps 2019-02-28 10:22:46.213473549 +0100 @@ -39,7 +39,6 @@ /.setlanguagelevel where { pop 2 .setlanguagelevel } if .currentglobal //true .setglobal -/pdfdict where { pop } { /pdfdict 100 dict def } ifelse pdfdict begin % Older ghostscript versions do not have .pdftoken, so we use 'token' instead. @@ -719,4 +718,7 @@ currentdict /PDFScanRules_null undef } bind def end % pdfdict + +systemdict /pdfdict .forceundef % hide pdfdict + .setglobal